Is WordPress insecure? (no, it isn’t!)

I think it’s a silly question, and one often misinterpreted by newbies/non-coders for all the wrong reasons. If you even had to ask this question, I would say WordPress is more than secure enough for you!

But first off, what IS “security” anyways?

The word “secure” means different things to different people.

  • To an average person – “secure” means that it’s hackproof and your sensitive data is safe from thieves/bad-guys, with very low odds of ever getting hacked.
  • To an experienced developer – “secure” means that it’s coded to best practices, commonly-used and updated often.

If you go by the average person’s definition of “security”, nothing is secure, and the best website is one that nobody knows about, has very few features, and is therefore not as often a target for hackers.

But if you go by the experienced developer’s definition of “security”, then WordPress is incredibly secure because everybody uses it and therefore it’s well-maintained by not only the core organization but also the community.

“Security” is about function

The only reason why any software could ever be a hack target is because it can do many things and store all kinds of information. To suggest WordPress is insecure is about the same as suggesting that doors are “insecure because they let bad guys in”. Well…doors serve a function of letting personnel in and out of your place. So in a way, WordPress has many areas to protect because it can do so many incredible things…blog, company site, store, etc.

Why on earth would you use something “more secure” if it doesn’t allow you the functionality you need?

“Security” is relative

Back to the door analogy. Doors are only insecure if 1) you don’t need them, and 2) you can build a better door. Most of you can’t. And likewise with WordPress, most of you cannot build a better CMS, and maintain it properly over time, than the WordPress community can.

If you (or your developer) are not skilled enough, or do not have the resources, to build a better CMS, then WordPress would clearly be the most functional and secure option for you.

“Why are people getting hacked if WordPress is so secure?”

People get hacked when they run outdated or poorly-coded themes and plugins. They can also get hacked when they have an insecure server. They can also get hacked when they choose weak passwords that are easy for robots to guess. Keep your software updated and regularly vetted for code quality, or hire someone to worry about that stuff for you.

“Can you still get hacked even if you always update your WordPress core and extensions?”

Absolutely. Even banks and the government get hacked. The idea, though, is that you lock your stuff down enough that the energy and time an attacker would spend to get in isn’t worth it.

“What about WordPress security plugins?”

That’s a whole other can of worms. Some of them are more useful than others. Some features are more useful than others. Your developer would know best.


One thought on “Is WordPress insecure? (no, it isn’t!)”

  1. Hi Johnny!

    Please let me know your opinion.

    What do you think about static site generators? Example: Jekyll, Hugo, etc.

    They work very fast. And they are very safe. Also, static site generators put very little load on the hosting (server).

    What do you think? To create typical blogs and niche websites, should one use a static site generator? Is it better than WordPress?
